CVE-2020-7105 involves a vulnerability in hiredis through version 0.14.0, allowing a NULL pointer dereference due to unchecked malloc return values.
async.c and dict.c in libhiredis.a in hiredis through 0.14.0 allow a NULL pointer dereference because malloc return values are unchecked.
Understanding CVE-2020-7105
This CVE involves a vulnerability in hiredis through version 0.14.0 that can lead to a NULL pointer dereference due to unchecked malloc return values.
What is CVE-2020-7105?
The vulnerability in async.c and dict.c in libhiredis.a in hiredis through version 0.14.0 allows for a NULL pointer dereference, potentially leading to a denial of service or arbitrary code execution.
The Impact of CVE-2020-7105
The unchecked malloc return values can be exploited by attackers to cause a denial of service condition or potentially execute arbitrary code on the affected system.
Technical Details of CVE-2020-7105
Vulnerability Description
The vulnerability arises from async.c and dict.c in libhiredis.a in hiredis through version 0.14.0, where malloc return values are not properly validated, leading to a NULL pointer dereference.
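The following added example (not hiredis source code and not from the original page) shows the unchecked-allocation pattern described above next to a checked form, with an allocator hook that forces the failure path so it can be tested. All type, function and variable names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* All names are hypothetical; this is not hiredis source code. */
typedef struct entry { int key, val; struct entry *next; } entry;
typedef struct table { entry *head; size_t used; } table;
/* Allocator hook so the out-of-memory path can be forced in a test. */
static int fail_after = -1;              /* -1: never fail */
static void *xalloc(size_t n) {
    if (fail_after == 0) return NULL;    /* simulated malloc failure */
    if (fail_after > 0) fail_after--;
    return malloc(n);
}

static void link_entry(table *t, entry *e, int key, int val) {
    e->key = key; e->val = val;          /* NULL dereference here if e is NULL */
    e->next = t->head;
    t->head = e;
    t->used++;
}

/* The pattern the CVE describes: allocation result used unchecked. */
int table_add_unchecked(table *t, int key, int val) {
    entry *e = xalloc(sizeof(*e));
    link_entry(t, e, key, val);
    return 0;
}

/* Checked form: report the failure and leave the table unchanged. */
int table_add_checked(table *t, int key, int val) {
    entry *e = xalloc(sizeof(*e));
    if (e == NULL) return -1;
    link_entry(t, e, key, val);
    return 0;
}

void table_free(table *t) {
    while (t->head) { entry *n = t->head->next; free(t->head); t->head = n; }
    t->used = 0;
}

int main(void) {
    table t = {0};
    fail_after = 1;                      /* first allocation succeeds, second fails */
    int first = table_add_checked(&t, 1, 10);
    int second = table_add_checked(&t, 2, 20);
    printf("first=%d second=%d used=%zu\n", first, second, t.used);
    table_free(&t);
    return 0;
}
```

Running the unchecked variant with the allocator set to fail terminates the process with a segmentation fault on most platforms, which is why the forced-failure run above exercises only the checked form.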
Affected Systems and Versions
Exploitation Mechanism
Attackers can exploit this vulnerability by crafting malicious inputs that cause a memory allocation to fail; because the malloc return value is not checked, the resulting NULL pointer is then dereferenced.
Mitigation and Prevention
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates